[GTALUG] why I like shared libraries -- no longer a popular position

D. Hugh Redelmeier hugh at mimosa.com
Sat Sep 23 00:18:03 EDT 2023


<https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/>

A bug was found (painfully -- a zero day) in Apple's Safari and 
(separately) in Google's Chrome.  This is a pretty serious bug -- it was 
used to spy on an opposition politician in Egypt.

It is the same bug, and this was not reported.

It turns out that the bug is in libwebp.  "WebP codec is a library to 
encode and decode images in WebP format."

libwebp is used in a lot of programs.  On my Fedora 38 system, it is a 
shared library so it can be fixed in one update.  Except where the library 
is copied (for example, statically linked, or used in a container of some 
sort).

Electron is one thing that requires copies and the article lists a lot of 
applications built on Electron.

What a mess.  What a mistake.
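
The message above contrasts the one shared libwebp that a distribution update fixes with the copies it does not reach; the Python script below turns that contrast into an inventory of a file tree. It is an added example, not part of the original post; the system library directories and the use of `resources/app.asar` to recognise an Electron application are assumptions of this example.

```python
import hashlib
import os
import re

# Assumption: the directories that the distribution's package manager updates.
SYSTEM_LIB_DIRS = ("/usr/lib", "/usr/lib64", "/lib", "/lib64")
# Matches libwebp.so, libwebp.so.7, libwebp.so.7.1.5, ...
LIBWEBP_RE = re.compile(r"^libwebp\.so(\.\d+)*$")


def sha256_of(path):
    """Hash in chunks so a large file is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root, system_dirs=SYSTEM_LIB_DIRS):
    """Sort libwebp copies under root into system-managed and bundled ones,
    and list Electron application directories found along the way."""
    prefixes = tuple(os.path.abspath(d) + os.sep for d in system_dirs)
    found = {"system": [], "bundled": [], "electron": []}
    for dirpath, _dirs, files in os.walk(os.path.abspath(root)):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks (libwebp.so.7 -> libwebp.so.7.1.5) to count each copy once.
            if LIBWEBP_RE.match(name) and not os.path.islink(path):
                kind = "system" if path.startswith(prefixes) else "bundled"
                found[kind].append((path, sha256_of(path)))
            # Electron packages the application as resources/app.asar; per the
            # post such apps carry their own copy, which no file name reveals.
            elif name == "app.asar" and os.path.basename(dirpath) == "resources":
                found["electron"].append(os.path.dirname(dirpath))
    return found


if __name__ == "__main__":
    report = inventory("/")
    for kind in ("system", "bundled", "electron"):
        print(f"{kind}: {len(report[kind])}")
        for entry in report[kind]:
            print("   ", entry)
```

Every entry under "bundled" or "electron" needs its own update from whoever shipped it. A copy statically linked into some other binary has no file of its own and is not found by this walk.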

